
Hi everyone,

I would like to add my custom field at the first place in the log. But if I add Exec $senderversion = "3.5.563"; the field will be at the last place in the log.

Is there some way to add a field at the first place?

My configuration and log sample are below.

Thanks for any answer.

<Extension _json>
    Module  xm_json
</Extension>

<Input eventlog>
    Module im_msvistalog
    Exec delete($EventTime);
    Exec delete($EventReceivedTime);
    Exec delete($SourceModuleName);
    Exec delete($SourceModuleType);
    Exec $senderversion = "3.5.563";
</Input>

<Output tcp_event>
    Module      om_tcp
    Host        198.19.254.112
    Port        514
    Exec to_json();
</Output>

<Route logmanager1>
    Path eventlog => tcp_event
</Route>

My logs now look like this:

{"Hostname":"win_template.nxlog.matej","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4634,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":214127,"ProcessID":644,"ThreadID":3508,"Channel":"Security","Message":"An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWIN_TEMPLATE$\r\n\tAccount Domain:\t\tNXLOG\r\n\tLogon ID:\t\t0x241DC39F\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","Category":"Logoff","Opcode":"Info","TargetUserSid":"S-1-5-18","TargetUserName":"WIN_TEMPLATE$","TargetDomainName":"NXLOG","TargetLogonId":"0x241dc39f","LogonType":"3","senderversion":"3.5.563"}

I would like to make the log look like this:

{"senderversion":"3.5.563","Hostname":"win_template.nxlog.matej","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4634,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":214127,"ProcessID":644,"ThreadID":3508,"Channel":"Security","Message":"An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWIN_TEMPLATE$\r\n\tAccount Domain:\t\tNXLOG\r\n\tLogon ID:\t\t0x241DC39F\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","Category":"Logoff","Opcode":"Info","TargetUserSid":"S-1-5-18","TargetUserName":"WIN_TEMPLATE$","TargetDomainName":"NXLOG","TargetLogonId":"0x241dc39f","LogonType":"3"}

Asked July 1, 2019 - 1:30pm

Answer (1)

There is no way to sort the fields currently that I know of. Not without rewriting the JSON with xm_perl or similar.
Though if this field is pretty static, you could do something like the following after your to_json() directive:
Exec $raw_event =~ s/^{/{"senderversion":"3.5.563",/;

This should rewrite the first open bracket to include your value using regex substitution.
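An added example (not from the thread and not NXLog's own code) that works through the two approaches the answer names, using Python as a stand-in for what an xm_perl post-processor would do. The sample event is constructed from the shape of the record in the question, with the long Message shortened. It shows a caveat worth checking before deploying the regex trick: because the Input block still sets $senderversion, the rewritten record carries the key twice (once injected at the front, once at the end), and JSON parsers disagree on how to resolve duplicate keys (most silently keep the last). The duplicate_keys check flags that condition, and reorder_fields shows the parse-and-rebuild alternative that moves the field to the front without duplicating it. The function names and the sample value are this example's own.

```python
import json
import re

# Constructed sample in the shape of the question's to_json() output (Message shortened).
SAMPLE_EVENT = json.dumps({
    "Hostname": "win_template.nxlog.matej",
    "EventID": 4634,
    "Channel": "Security",
    "Message": "An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18",
    "LogonType": "3",
    "senderversion": "3.5.563",
}, separators=(",", ":"))


def prepend_by_regex(raw_event, key, value):
    """Mimic the answer's Exec: rewrite the leading '{' so a key/value pair is injected.

    This is purely textual, so any field of the same name already in the record stays
    where it was, producing a duplicate key.
    """
    injected = "{" + json.dumps(key) + ":" + json.dumps(value) + ","
    # A callable replacement avoids backslash-escape surprises in the replacement text.
    return re.sub(r"^\{", lambda _m: injected, raw_event, count=1)


def duplicate_keys(raw_event):
    """Return the sorted list of keys that occur more than once within any JSON object."""
    dups = set()

    def hook(pairs):
        keys = [k for k, _ in pairs]
        dups.update(k for k in set(keys) if keys.count(k) > 1)
        return dict(pairs)  # dict() keeps the last value, like most parsers

    json.loads(raw_event, object_pairs_hook=hook)
    return sorted(dups)


def reorder_fields(raw_event, first_keys):
    """Parse the record and re-serialise it with first_keys leading, no duplication.

    This is the xm_perl-style rewrite the answer alludes to: the event is parsed, the
    requested keys are emitted first, then every remaining field in its original order.
    """
    event = json.loads(raw_event)  # preserves insertion order
    ordered = {k: event[k] for k in first_keys if k in event}
    ordered.update((k, v) for k, v in event.items() if k not in ordered)
    return json.dumps(ordered, separators=(",", ":"))


def parsed_fields(raw_event):
    """Parse a record the way a typical last-wins consumer would."""
    return json.loads(raw_event)


if __name__ == "__main__":
    injected = prepend_by_regex(SAMPLE_EVENT, "senderversion", "3.5.563")
    print("regex rewrite :", injected[:60], "... duplicates:", duplicate_keys(injected))
    reordered = reorder_fields(SAMPLE_EVENT, ["senderversion"])
    print("reordered     :", reordered[:60], "... duplicates:", duplicate_keys(reordered))
```

Running the block prints the start of both rewritten records; the regex version reports senderversion as a duplicate key while the reordered version reports none and parses to exactly the same fields as the original.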
